confused with ssl settings and some error - need help

Poliman - Serwis serwis at poliman.pl
Thu Apr 27 12:00:17 EEST 2017


I turned of ssl_cipher_list in dovecot.conf file (so it's default) but test
still gives errors:
Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error:
error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Apr 27 08:55:06 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error:
error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error:
error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
Apr 27 08:55:07 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error:
error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
Apr 27 08:55:15 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
mac
Apr 27 08:55:15 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error:
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
mac
Apr 27 08:55:17 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
mac
Apr 27 08:55:17 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error:
error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
mac
Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
Apr 27 08:55:18 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext
Apr 27 08:55:19 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error:
error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext


2017-04-27 10:34 GMT+02:00 Poliman - Serwis <serwis at poliman.pl>:

> Cipher list which You post provide better compatibility or security than
> those which I currently have?
> On older software version these cipher list works well and not generate
> any errors when I run Internal PCI scan test from
> https://cloud.tenable.com for another server. But for new server with
> newer software during test I got errors in mail.err.
>
> 2017-04-27 10:00 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>
>>
>> > On April 27, 2017 at 10:55 AM Poliman - Serwis <serwis at poliman.pl>
>> wrote:
>> >
>> >
>> > Thank You for answers. But:
>> > 1. How should be properly configured ssl_cipher_list?
>>
>> ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNU
>> LL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH
>>
>> To disable non-EC DH, use:
>>
>> ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:
>> !aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH
>>
>> > 2. Ok, removed !TLSv1 !TLSv1.1.
>> > 3. Strange thing with ssl_protocols and ssl_cipher_list, because on
>> older
>> > server on Ubuntu 14.04 LTS, dovecot 2.2.9 and postfix 2.11.0 these two
>> > lines looks exactly this same and no errors in mail.err file and mailes
>> > works without any problem.
>> > 4. No, currently I don't use LMTP.
>>
>> it is possible that postfix is not causing this error.
>>
>> >
>> > 2017-04-27 8:25 GMT+02:00 Aki Tuomi <aki.tuomi at dovecot.fi>:
>> >
>> > >
>> > > > On April 27, 2017 at 8:12 AM Poliman - Serwis <serwis at poliman.pl>
>> wrote:
>> > > >
>> > > >
>> > > > Hi,
>> > > > To default dovecot.conf file I added (based on found documentation):
>> > > > ssl = required
>> > > > disable_plaintext_auth = yes     #change default 'no' to 'yes'
>> > > > ssl_prefer_server_ciphers = yes
>> > > > ssl_options = no_compression
>> > > > ssl_dh_parameters_length = 2048
>> > > > ssl_cipher_list =
>> > > > ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
>> > > ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:
>> > > DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+
>> > > AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-
>> > > SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-
>> > > RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
>> > > AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-
>> > > RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:
>> > > DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:
>> > > AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-
>> > > SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!
>> > > RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-
>> > > CBC3-SHA:!KRB5-DES-CBC3-SHA
>> > > >
>> > >
>> > > This looks rather cumbersome way to define ciphers.
>> > >
>> > > > 1. Are these settings good or can be improved?
>> > > > 2. Is this line proper:
>> > > > ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
>> > >
>> > > Well if you only want to support TLSv1.2, which might lead into
>> trouble.
>> > >
>> > > > or maybe should be:
>> > > > ssl_protocols = !SSLv2 !SSLv3
>> > > > 3. Last thing. I have below errors (they appear in loop in mail.err
>> log
>> > > > file):
>> > > > #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked
>> error:
>> > > > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
>> > > > #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked
>> error:
>> > > > error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version
>> number
>> > > > #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked
>> error:
>> > > > error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or
>> bad
>> > > record
>> > > > mac
>> > > > #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked
>> error:
>> > > > error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
>> > >
>> > > This means your client did not support your enabled ciphers.
>> > >
>> > > >
>> > > > When I setup in postfix main.cf file (other lines default):
>> > > > tls_ssl_options = no_ticket, no_compression
>> > > > tls_preempt_cipherlist = yes
>> > > > smtpd_sasl_security_options=noanonymous,noplaintext
>> > > > smtpd_sasl_tls_security_options=noanonymous,noplaintext
>> > > > smtpd_tls_mandatory_ciphers = high
>> > > > smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
>> > > > #instead of below I tried smtpd_tls_mandatory_exclude_ciphers but I
>> > > don't
>> > > > know what should be setup
>> > > > smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5,
>> PSK,
>> > > > aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA,
>> > > ECDHE-RSA-DES-CBC3-SHA,
>> > > > DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
>> > > > smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
>> > > aECDH,
>> > > > EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
>> > > > DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
>> > > >
>> > > > Is between dovecot and postfix some communication using above
>> ciphers or
>> > > > something that generate that errors in log or maybe some public
>> client
>> > > try
>> > > > connect and can't establish connection?
>> > > >
>> > >
>> > > If you are using LMTP, then some of those settings will cause changes
>> in
>> > > how LMTP works as well.
>> > >
>> > >
>> > > > Server with Ubuntu 16.04 LTS, postfix 3.1 and dovecot 2.2.22 and
>> openssl
>> > > > 1.0.2k.
>> > > > --
>> > > >
>> > > > *Pozdrawiam / Best Regards*
>> > > > *Piotr Bracha*
>> > > >
>> > > >
>> > > >
>> > > >
>> > > > *tel. 534 555 877*
>> > > >
>> > > > *serwis at poliman.pl <serwis at poliman.pl>*
>> > >
>> > > Aki
>> > >
>> >
>> >
>> >
>> > --
>> >
>> > *Pozdrawiam / Best Regards*
>> > *Piotr Bracha*
>> >
>> >
>> >
>> >
>> > *tel. 534 555 877*
>> >
>> > *serwis at poliman.pl <serwis at poliman.pl>*
>>
>
>
>
> --
>
> *Pozdrawiam / Best Regards*
> *Piotr Bracha*
>
>
>
>
> *tel. 534 555 877*
>
> *serwis at poliman.pl <serwis at poliman.pl>*
>



-- 

*Pozdrawiam / Best Regards*
*Piotr Bracha*




*tel. 534 555 877*

*serwis at poliman.pl <serwis at poliman.pl>*


More information about the dovecot mailing list